fix(errorprone): flag Math.class literal to close reflection bypass

halibobo1205 · halibobo1205 · commit 385f6e451364 · 2026-05-29T06:29:26.000Z
matchMemberSelect only handled VarSymbol members, so the class literal
Math.class (and java.lang.Math.class) resolved to the Math ClassSymbol
and slipped through, leaving a reflective back door to java.lang.Math.
Detect .class selects whose qualifier is java.lang.Math explicitly.

Addresses codeant-ai review on ForbidJavaLangMath.java.
diff --git a/errorprone/src/main/java/errorprone/ForbidJavaLangMath.java b/errorprone/src/main/java/errorprone/ForbidJavaLangMath.java
@@ -33,6 +33,7 @@
  *   <li>method references: {@code Math::max}</li>
  *   <li>field access: {@code Math.PI}, {@code Math.E}</li>
  *   <li>statically-imported fields used bare: {@code import static java.lang.Math.PI; ... PI}</li>
+ *   <li>class literals (reflection back door): {@code Math.class}</li>
  * </ul>
  *
  * <p>{@code java.lang.StrictMath} itself is intentionally allowed — it is the deterministic
@@ -68,6 +69,13 @@ public Description matchMemberReference(MemberReferenceTree tree, VisitorState s
 
   @Override
   public Description matchMemberSelect(MemberSelectTree tree, VisitorState state) {
+    // Type-level references such as the class literal `Math.class` resolve to the Math
+    // ClassSymbol rather than a member, and are a back door to java.lang.Math via reflection
+    // (e.g. Math.class.getMethod("sin").invoke(...)). Flag them explicitly.
+    if (tree.getIdentifier().contentEquals("class")
+        && isJavaLangMathClass(ASTHelpers.getSymbol(tree.getExpression()))) {
+      return describeMatch(tree);
+    }
     // Method selects (Math.max) are already reported via matchMethodInvocation /
     // matchMemberReference; only flag field selects (Math.PI, Math.E) here to avoid
     // double-reporting the same usage.
@@ -90,6 +98,11 @@ public Description matchIdentifier(IdentifierTree tree, VisitorState state) {
     return flagIfMathMember(sym, tree);
   }
 
+  private static boolean isJavaLangMathClass(Symbol sym) {
+    return sym instanceof Symbol.ClassSymbol
+        && ((Symbol.ClassSymbol) sym).getQualifiedName().contentEquals(JAVA_LANG_MATH);
+  }
+
   private Description flagIfMathMember(Symbol sym, Tree tree) {
     if (sym == null) {
       return Description.NO_MATCH;
